I've written up a paper that describes some useful tools/techniques for deconstructing web based exploits:
Analyzing Browser Based Vulnerability Exploitation Incidents
The paper started as a blog entry and it remains a blog entry at its core. But...